From: Casey Bodley
Date: Mon, 22 Oct 2018 18:13:21 +0000 (-0400)
Subject: rgw: add helper function rgw_transport_is_secure()
X-Git-Tag: v12.2.11~119^2~2
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=8d7a68933378b68b149619aa1b54cf5942c92a28;p=ceph.git

rgw: add helper function rgw_transport_is_secure()

Signed-off-by: Casey Bodley
(cherry picked from commit 73d355f)
Signed-off-by: Jonathan Brielmaier

Conflicts:
	src/rgw/rgw_common.cc: adapt state around new function
---
diff --git a/src/rgw/rgw_common.cc b/src/rgw/rgw_common.cc
index 96007f39856..6a640600f30 100644
--- a/src/rgw/rgw_common.cc
+++ b/src/rgw/rgw_common.cc
@@ -1080,6 +1080,31 @@ string RGWHTTPArgs::sys_get(const string& name, bool * const exists) const
   return e ? iter->second : string();
 }
 
+bool rgw_transport_is_secure(CephContext *cct, const RGWEnv& env)
+{
+  const auto& m = env.get_map();
+  // frontend connected with ssl
+  if (m.count("SERVER_PORT_SECURE")) {
+    return true;
+  }
+  // ignore proxy headers unless explicitly enabled
+  if (!cct->_conf->rgw_trust_forwarded_https) {
+    return false;
+  }
+  // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded
+  // Forwarded: by=; for=; host=; proto=
+  auto i = m.find("HTTP_FORWARDED");
+  if (i != m.end() && i->second.find("proto=https") != std::string::npos) {
+    return true;
+  }
+  // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto
+  i = m.find("HTTP_X_FORWARDED_PROTO");
+  if (i != m.end() && i->second == "https") {
+    return true;
+  }
+  return false;
+}
+
 bool verify_user_permission(struct req_state * const s,
                             RGWAccessControlPolicy * const user_acl,
                             const int perm)
diff --git a/src/rgw/rgw_common.h b/src/rgw/rgw_common.h
index 04f6d5fc95f..8e927ec9391 100644
--- a/src/rgw/rgw_common.h
+++ b/src/rgw/rgw_common.h
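Review bot: The Forwarded check at `i->second.find("proto=https") != std::string::npos` is a substring match over the whole header value, so it also fires when `proto=https` occurs inside another parameter (for example a quoted `for=` or `host=` value) or in an element that an upstream hop appended rather than overwrote, and this branch only runs once `rgw_trust_forwarded_https` is set, which is exactly the case where a permissive match matters. Splitting the value on `,`/`;` and comparing the `proto` parameter for equality, mirroring the exact `== "https"` test already used for `HTTP_X_FORWARDED_PROTO`, would close that gap. The `m.count("SERVER_PORT_SECURE")` test is presence-only; if any frontend ever sets it to `0` for plaintext connections (the CGI/IIS convention) the function would report secure, so a comment such as `// frontends set SERVER_PORT_SECURE only for TLS connections; the value is not inspected` would record the assumption — presumably true here, but not visible in the hunk. The option `rgw_trust_forwarded_https` is not introduced by this patch, so it must be defined elsewhere in the backport series.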
@@ -420,6 +420,10 @@ public:
   const std::map& get_map() const { return env_map; }
 };
 
+// return true if the connection is secure. this either means that the
+// connection arrived via ssl, or was forwarded as https by a trusted proxy
+bool rgw_transport_is_secure(CephContext *cct, const RGWEnv& env);
+
 enum http_op {
   OP_GET,
   OP_PUT,
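Review bot: The header comment on `rgw_transport_is_secure` omits the gate the implementation applies: the proxy headers are only consulted when `rgw_trust_forwarded_https` is enabled, and that is the security-relevant part of the contract a caller needs to know. Suggested wording: `// return true if the connection is secure: either the frontend connected via ssl (SERVER_PORT_SECURE is set), or rgw_trust_forwarded_https is enabled and a proxy forwarded the request as https via the Forwarded or X-Forwarded-Proto header`. It is also worth noting next to the declaration that the option is only safe when radosgw is reachable exclusively through a proxy that overwrites those headers, since the function itself cannot distinguish a trusted hop from any other.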